Conventional computerized devices, such as personal computers or laptop computers, connect to computer networks such as the Internet to transmit and receive content or data with other computerized devices in communication with the network. While connected to the network, the conventional computerized devices can receive malware, such as computer viruses, worms, spy-ware, spam, or other types of unauthorized applications or content (hereafter referred to as “malware”). Conventional computerized devices therefore typically include security mechanisms intended to protect them against malware and against unauthorized connections. For example, computerized devices typically include anti-virus applications that prevent execution of malicious programs that can harm the computer system. During operation, an anti-virus application associated with the computerized device can detect, note the presence of, and/or remove viruses, thereby helping to minimize the effect or proliferation of the virus. In another example, computerized devices such as routers or switches typically include firewall applications that prevent certain data communications traffic from entering a portion of a network. During operation, the firewall applications detect and block attempted connections to the computerized devices for which the traffic is destined.
A computer resource can become infected via any number of different interface “vectors.” One of the most common is infection over a public network connection. For example, laptop computers are often configured to move between locations and connect to different networks. In addition to connecting their laptop computer to the corporate Local Area Network (LAN), users frequently connect that same laptop computer to other networks that provide a direct connection to the Internet. It is while connected to these other networks that the laptop computer may become infected with malware (e.g., viruses or worms). When the laptop reattaches to the corporate LAN, the malware can then infiltrate the corporate network and impair the operation of that network and its associated resources.
To minimize the risk of a network and its resources becoming infected by malware, network-based vulnerability scanners can be used to assess the security “posture” of devices connected to that network. These scans are typically performed on the basis of a predefined scanning schedule. For example, in the case where the operator disconnects the laptop from the second network and reconnects the laptop to the corporate LAN, a vulnerability scanner application scans the reconnected computer (e.g., the applications on the laptop) at the next time called for by the predefined scanning schedule to assess the vulnerability “posture” of that laptop. If it is determined that the computer is vulnerable to one or more virus or worm exploits, other applications such as antivirus signature or patch management update programs may be invoked to mitigate those vulnerabilities and/or remove exploits that have managed to gain a foothold.
For example, assume a user connects a laptop computer to a Local Area Network (LAN) operated by a business and, at a later time, disconnects the laptop computer from the LAN and connects the laptop to a second network, such as one providing a direct connection to the Internet. Further assume that while connected to the second network, prior to reconnecting with the corporate LAN, the laptop becomes infected with an unauthorized application, such as a virus or worm. Also assume that a scanning application periodically scans computerized devices connected to the LAN (e.g., once a day) for the presence of known vulnerabilities in the device operating system, resident applications, associated security programs, and their respective configurations. In the case where the infected computer connects to the LAN between scheduled scans, it operates on the LAN unexamined until the next scheduled scan, and during that window it can transmit malware onto the network, its resources, and any other device connected to that network. In addition to infecting and impairing the operation of these other devices, this malware could impair the operation of the network itself.
Another problem with conventional network-based security scanning systems is that the systems cannot always reliably collect the necessary information or detect that there is a problem, either because they are unable to access the appropriate information, because they lack the proper administrative authority on the scanned device, or because the time required for the scan exceeds the predefined resource schedule. These systems also are typically signature-based and only scan for vulnerabilities and exploits that are known a priori. This is why most vulnerability scanners and antivirus applications require periodic signature updates, which creates its own form of race condition relative to the latest class of exploits. This race condition is frequently referred to as a “Day Zero” (or zero-day) problem, in that signature-based systems frequently are unable to detect the latest exploits on “day zero.” It is only after they are updated with the latest signatures that this new class of exploit or vulnerability can be detected.
For example, conventional remote antivirus and vulnerability scanning systems are limited to determining whether a computer system operating on a network is configured with up-to-date virus definitions. Such systems do not provide a mechanism to inquire as to other configuration settings of the computer system operating on the network. By way of a specific example, it may be determined that a certain type and/or version of a software application poses a known security threat to a network. Virus scanning software may have no means of determining whether that application, in that version, is installed on the computer system. To generalize, conventional security mechanisms do not provide the ability to query the computer system for specific configuration information related to applications, the operating system, virus software, or other security information that may be used to determine the overall “safeness” or security threat that a particular computer poses when operating on a network.
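The following is an added illustration, not code from the original text or from any system it describes, of the kind of configuration query the preceding paragraph says conventional scanners lack. It contrasts a definitions-only check (all a conventional remote scanner answers) with a posture assessment that also examines installed application versions, real-time protection and the host firewall. The inventory dictionaries, the product names “ExampleAgent” and “LegacyTransfer”, the policy rules and the three-day definition-age threshold are all constructed for this example.

```python
"""Posture assessment over a host's configuration inventory (added example).

The inventory format and the policy table are assumptions made for this
illustration; a real agent or remote query would supply the inventory.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10' into (2, 10) so that 2.10 compares greater than 2.9.

    A plain string comparison gets this wrong ('2.10' < '2.9'), which is a
    classic source of false negatives in version-based vulnerability checks.
    Non-numeric suffixes (e.g. '2.9a') are ignored.
    """
    return tuple(int(part) for part in re.findall(r"\d+", v))


@dataclass(frozen=True)
class VersionRule:
    """A constructed policy entry: versions in [min_affected, fixed_in) are flagged."""
    product: str
    min_affected: str
    fixed_in: Optional[str]  # None means no fixed release exists
    reason: str

    def matches(self, installed: str) -> bool:
        iv = parse_version(installed)
        if iv < parse_version(self.min_affected):
            return False
        return self.fixed_in is None or iv < parse_version(self.fixed_in)


# Hypothetical products and rules, constructed for the example.
POLICY: List[VersionRule] = [
    VersionRule("ExampleAgent", "2.0", "2.10", "known remote code execution in 2.0-2.9"),
    VersionRule("LegacyTransfer", "1.0", None, "unsupported; no patched release exists"),
]
MAX_DEFINITION_AGE_DAYS = 3  # assumed threshold for "up to date" definitions


def definitions_current(inventory: Dict, today: date) -> bool:
    """The only question a conventional remote scanner answers."""
    av = inventory.get("antivirus")
    if av is None:
        return False
    age = (today - date.fromisoformat(av["definitions_date"])).days
    return age <= MAX_DEFINITION_AGE_DAYS


def assess_posture(inventory: Dict, today: date) -> List[str]:
    """Return a list of findings; an empty list means no posture problem found."""
    findings: List[str] = []
    av = inventory.get("antivirus")
    if av is None:
        findings.append("no antivirus reported")
    else:
        if not av.get("realtime_enabled", False):
            findings.append("antivirus real-time protection disabled")
        if not definitions_current(inventory, today):
            age = (today - date.fromisoformat(av["definitions_date"])).days
            findings.append(f"antivirus definitions {age} days old")
    installed = inventory.get("applications", {})
    for rule in POLICY:
        version = installed.get(rule.product)
        if version is not None and rule.matches(version):
            findings.append(f"{rule.product} {version}: {rule.reason}")
    if not inventory.get("firewall_enabled", False):
        findings.append("host firewall disabled")
    return findings


def is_safe(inventory: Dict, today: date) -> bool:
    return not assess_posture(inventory, today)


# Constructed inventories. The returning laptop has fresh definitions, so a
# definitions-only check passes it, yet it carries a flagged application version.
LAPTOP_RETURNING = {
    "hostname": "lap-17",
    "antivirus": {"definitions_date": "2024-05-01", "realtime_enabled": True},
    "applications": {"ExampleAgent": "2.9", "OfficeSuite": "16.0"},
    "firewall_enabled": True,
}
DESKTOP_CLEAN = {
    "hostname": "desk-03",
    "antivirus": {"definitions_date": "2024-05-02", "realtime_enabled": True},
    "applications": {"ExampleAgent": "2.10"},
    "firewall_enabled": True,
}

if __name__ == "__main__":
    today = date(2024, 5, 2)
    for host in (LAPTOP_RETURNING, DESKTOP_CLEAN):
        print(host["hostname"], "definitions current:", definitions_current(host, today),
              "findings:", assess_posture(host, today))
```

The laptop passes the definitions-only check but fails the posture assessment because of the flagged application version, which is exactly the gap the paragraph describes. The numeric version parsing matters: with string comparison, 2.10 would be judged older than 2.9 and the fixed release would itself be flagged.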